- Privacy Notice
- Data Processor Agreement
- End User Licence Agreement
- API Agreement
- Standards of Business Conduct
- Human Rights
- Transparency Act
The Customer consenting to these terms (“Customer” or “Data Controller”) and the entity responsible for providing 24SevenOffice ERP in your region or Country (or any entities owned by 24SevenOffice (“24SevenOffice” or “Data Processor”) have entered into this Data Processor Agreement (DPA) (“Agreement”) This Agreement will replace any previously applicable data processor agreements or terms previously applicable to privacy, data processing and/or data security.
This Agreement shall provide for the processing of personal data in accordance with the regulation under the EC Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data implemented into Norwegian legislation in the Personal Data Act of 14 April 2000 no. 31 with regulation, and in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Norwegian "Lov om behandling av personopplysninger (personopplysningsloven)" which replaces the Personal Data Act with regulations which implements the General Data Protection Regulation (jointly called “Personal Data Regulation” in the following).
2. Purpose of this Agreement
This Agreement governs the Data Processor’s processing of the Personal Data on behalf of the Data Controller to perform its Services under the Services Agreement. The Data Processor shall process the Personal Data only for the approved purpose and in accordance with applicable laws, this Agreement and the Customer License Agreement (CLA). The purpose of the processing, duration of processing, type of processing and types of personal data to be processed is covered in this Agreement and ensures that personal data is processed in accordance with the requirements of the Data Protection Regulation. Data Processor shall process personal data in the manner described in this Agreement.
3. Personal data to be processed
24SevenOffice is both a data processor and data controller. As a controller 24SevenOffice processes personal data as described in Privacy Notice 1. What personal data do 24SevenOffice process? As a data processor, 24SevenOffice has no access to data controllers data without consent (e.g. CLA or terms), but stores and delivers the 24SevenOffice ERP service to customers. The customers are data controllers and responsible for the data input into the 24SevenOffice ERP service.
4. Data Processor rights and duties
The Data Processor confirms that it will implement appropriate technical and organizational measures that ensure that all processing under this Agreement meets the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject. The Data Processor shall only process the personal data under the instructions given by the Data Controller. The Data Processor shall be able to document such instructions if requested. The Data Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Data Controller.
Access to personal data
The Data Processor will not access any other personal data than what is necessary to perform its tasks as a Data Processor. The Data Processor may give the Data Processor limited permission to access data for support purposes, but not without consent. The Data Processor shall not use personal data for any other purposes than the ones that is listed in the Privacy Notice 6. How 24SevenOffice use Account Information
The Data Processor and its subcontractors has a duty of confidentiality regarding personal data that he or she has access to as a result of the Agreement and processing of personal data, and shall ensure that persons authorized to process the personal data have committed themselves to processing the information confidentially or subject to an appropriate statutory duty of confidentiality. This provision also applies one (1) year after the termination of the Agreement, if the content of the information has not been publicly known within this period. The Data Controller is responsible for updating and correcting personal data that is wrongfully registered. The Data Processor shall not disclose any information or information it processes to any third party without informing the Data Controller. Inquiries of such information to Data Processor, the Data Processor shall pass on to the Data Controller as soon as possible. Any requests with regard to the personal data or the processing from third parties or the data subject shall be forwarded to the Data Controller without undue delay if not otherwise agreed in this Agreement or by instruction by the Data Controller. If the Data Processor is in the opinion that an instruction by the Data Controller infringes the Personal Data Regulation, the Data Processor shall immediately inform the Data Controller. The Data Processor is however obligated to perform its duties under this Agreement and any instructions by the Data Controller regardless of its opinion on infringement.
The Data Processor shall assist the Data Controller in ensuring compliance with the Personal Data Regulation (e.g. giving information and advice when producing a data protection impact assessment ‘DPIA’ or responding to data subject’s right requests.
5. Data Controllers rights and duties
Data Controller is responsible for lawful processing of personal data and observing the rights of data subject, including collecting data subject consents and requests. The Data Controller determines the purposes of the processing of personal data and has the rights described in the Privacy Notice 8. What is my rights. The Data Controller retains the formal control of and all ownership and rights to the personal data. The Data Processor shall have no rights in or to the personal data other than the non-exclusive, revocable and time limited right to process the personal data for the approved purpose. The Data Controller may in its sole discretion withdraw consent(s) given relating to the use of the Service. In such an event the Data Controller will provide an explanation to the Data Processor setting out the reason behind the withdrawal. The Data Processor cannot guarantee that the 24SevenOffice Service will function without these approvals. Any dysfunctions in the 24SevenOffice Service as a result of withdrawn approval, does not affect the term of the Agreement.
6. Use of API and 3.parties
The Data Processor is not responsible for personal data processed by 3. parties through the Data Processors API. It is the Data Controllers obligation to read and accept any terms or consents made available from any 3. party.
7. Security and audits
The Data Processor shall implement and use technical and organizational security measures in such a way that processing will meet the requirements of the Personal Data Regulation and appropriate to prevent the harm which might result from any unauthorized or unlawful processing, loss, destruction, damage, alternation to or disclosure of the Personal Data and having regard to the nature of the Personal Data which is to be protected. The Data Processor shall comply with the requirements to security given in the Personal Data Regulation. The Data Processor shall provide documentation of technical and organizational measures implemented to ensure the security of the personal data upon the request of the Data Controller. A Statement of Applicability (SOA) report can be displayed on request, as such documentation.
Security audits shall be performed regularly by the Data Processor. Audits may comprise review of routines and processes, inspections, tests, more comprehensive controls and other relevant control activities. Eventually additional audits requested by Data Controller shall be at Data Controllers cost and at timing agreed upon between the parties. The Data Processor may refer to completed similar audits as an alternative.
8. Notification of a Personal data breach
If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall without undue delay, notify the Data Controller and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall at least contain the following information:
• description of the Personal Data Breach including summary of the incident that caused the Personal Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
• description of the likely consequences and potential risk that the Personal Data Breach may have towards the affected Data Subject(s);
• description of the measures proposed or taken by the Data Processor and/or the subcontractor, as applicable, to address the Personal Data Breach;
• description of any further information which may be relevant in relation to the Personal Data Breach or its mitigation, especially information which the Data Controller identified as relevant information earlier.
If not all information above may be given in the first notice, the information shall be provided as soon as possible.
Notice will be posted inside the 24SevenOffice Service, or by mail or phone if the breach only affect individual Data Controllers. The Data Processor’s Technical Customer Service shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller may have.
Depending on the nature of the Personal Data Breach the Data Controller may be obliged to make a report to the Data Protection Authority in the country it resides. The Data Processor does not have to make a report to any Data Protection Authority unless this is expressly required by applicable law or the Data Controller approved or instructed to do so. The Data Processor shall, without undue delay, notify the Data Controller if it receives a request from any data protection authority or other governmental body requiring the Data Processor or any of its subprocessors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall wherever possible, and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable laws.
9. Storage and transfer
Personal Data covered by this Agreement will only be stored at locations listed in the Privacy Statement 10. Where does 24SevenOffice process and store data?. How long the data is stored and the terms for deletion of data is covered in 11. How long does 24SevenOffice store data – Deletion of Personal data. Personal data shall only be transferred to third countries, i.e. countries outside EU/EEA which ensure an adequate level of protection, upon explicit agreement or instructions by the Data Controller. The Data Processor shall not transfer or give access to the personal data to persons in third countries without the explicit approval by the Data Controller. The consent or instruction given by the Data Controller must cover the country which the personal data shall be transferred to or accessed from. For transfer to or access from third countries for personal data it is required that the appropriate safeguards including with regard to the rights of data subjects is complied with.
The Data Processor is hereby authorized by the Data Controller to use any relevant approved subprocessor (subcontractor) on Data Controller’s behalf for the above mentioned purpose and for any relevant approved territory. The processing of the Personal Data shall only take place in technological environments approved by the Data Processor and approved subprocessors in the approved territory. The Data Processor shall ensure that any processing of personal data by a subprocessor complies with the requirements set out under this Agreement. This includes verifying that the security measures implemented by a subprocessor ensure at least the equivalent level of protection to that required of the Data Processor under this Agreement. Any subprocessor shall be informed of the Data Processors obligations under this Agreement and the obligations under the Personal Data Regulation, and the subprocessor shall be imposed the same obligations as the Data Processor set forth in the Agreement in a binding agreement where in particular the subprocessor is providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. Any additions or changes of subprocessor that process personal data will be informed to the Data Controller through 24SevenOffice channels. By continuing to use the Service after such information is given is regarded to be an acceptance of the addition/change. For a list subprocessors is available on this link. For a list of details about approved territory, see Privacy Statement 10. Where does 24SevenOffice process and store data?
11. Term and Terminations
This Agreement shall be effective and stay in force as long as the Data Processor (and its permitted sub-processors) processes personal data on behalf of the Controller in the context of the Customer License Agreement (CLA). In case of breach of this Agreement, the Data Controller may instruct the Data Processor to stop further processing of the information with immediate effect. Upon termination of this Agreement, regardless of reason, The Data Processor shall, at the discretion of the Data Controller, delete or return all Personal data to the Data Controller after the services associated with the processing are delivered, and delete existing copies, unless there is a legal requirement that the Personal Data will continue to be stored. Any export assistance concerning return of Personal data performed by the Data Processor is invoiced according to the Customer License Agreement (CLA). The Data Controller shall receive a confirmation from the Data Processor that the duties in the above paragraph have been complied with.
12. Choice of Law and Dispute regulations
The Customer License Agreement (CLA) regulation with regard to governing law and jurisdiction applies in full for this Agreement.
13. Other duties and rights
Other duties and rights between the parties may be subject to the Customer License Agreement (CLA) or other agreements between the Data Controller and the Data Processor. If the Customer License Agreement (CLA) is transferred, this Agreement shall be transferred accordingly.
Any questions regarding this Agreement shall be sent to privacy (a) 24SevenOffice.com.
Last review: 5 May 2022
Changes to this Data Processor Agreement (log):
5 May 2022
Updated and clarified the description of ‘Personal data to be processed” section. Added a paragraph about the right to assistance from Data Processors to Data Controllers to ensure compliance in ‘Data Processor rights and duties
7 February 2022
The name of the Norwegian personal data legislation is updated in the background paragraph. The Data Controller's responsibility for lawful processing of personal data is clarified under Data Controllers rights and duties. Security and notifications are split into two paragraphs, and the following paragraphs have received a higher number. The security paragraph is updated with the possibility for the Data Controller to request an Statement of Applicability (SOA) report, as a consequence of the approved 24SevenOffice ISO 27001 certification. The paragraph about subcontractors is updated to include a link to the list of subcontractors and how 24SevenOffice notifies about any changes. A last paragraph of contact point at the Data Processor is included.
3 May 2018
Data Processor Agreement first version as a separate addition to the Customer License Agreement (CLA)